google-workspace

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The documentation includes a setup command that downloads and pipes a script to bash from Google's official SDK distribution domain (https://sdk.cloud.google.com).
  • [COMMAND_EXECUTION]: The skill configuration allows the use of the Bash tool, which is utilized for running local setup scripts and Python utilities.
  • [DATA_EXFILTRATION]: Authentication artifacts, such as OAuth2 refresh tokens and service account keys, are stored in the user's home directory (~/.config/gws-agent/). While sensitive, this is a standard practice for CLI-based authentication.
  • [PROMPT_INJECTION]: The skill has a risk surface for indirect prompt injection.
    • Ingestion points: Reads data from external sources including Gmail messages, Google Docs content, and Spreadsheet cells via official APIs.
    • Boundary markers: The provided prompts and scripts do not include explicit delimiters or instructions to ignore embedded commands in the ingested content.
    • Capability inventory: The skill has access to the Bash tool, file system write operations, and full write access to the user's Google Workspace environment.
    • Sanitization: The Python helper script (gws-helper.py) does not perform sanitization or validation on content fetched from external APIs before it is returned to the agent context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 12, 2026, 04:31 AM